Category: Computer Security

Want a chance to get a signed copy of my latest Kali Linux book? I am giving away a total of 10 signed copies of “Basic Security Testing with Kali Linux, 3rd Edition”!

Simply follow, like and share this article, or my official Twitter or Instagram announcement, for a chance to win a signed copy of my new book!

10 lucky winners will be randomly selected on October 31st.

The Contest is for those living in the United States only. I may do another one for international readers in the future.

Liking this article & sharing the Official Contest announcements on Twitter and Instagram will increase your chances of winning. Winners will be notified on October 31st. If a winner cannot be notified or does not respond by the end of the first week of November, another winner will be picked.

UPDATE 4/3 – The Contest is now over, and winners have been notified. Thank you everyone for your interest and support!

Want a chance to win a signed copy of “Intermediate Security Testing with Kali Linux 2”?

This almost 500 page hands-on, step-by-step tutorial style book doesn’t dwell on the theory of security, but instead walks you through implementing and using the latest security tools and techniques using the most popular computer security testing platform, Kali Linux:

Simply share a link to this article on your favorite social media site. Then place a copy of the link in the comments field below. Winners will be chosen at random in two weeks (April 1st) from links in the comments section.

Windows includes a built in program that captures screenshots and text descriptions of what a user is doing on their system. This program could be accessed remotely by a hacker. In this article we will see how to run the program from a remote shell using Metasploit.

Introduction

Windows includes a great support program that you have probably never heard of called “Problem Steps Recorder” (psr.exe). Microsoft made this program to help troubleshooters see step-by-step what a user is doing. If a user is having a computer problem that they either can’t articulate well or tech support just can’t visualize the issue, all the support personnel needs to do is have the user run psr.exe.

When PSR runs it automatically begins capturing screen captures of everything that the user clicks on, it also keeps a running dialog of what the user is doing in a text log. When done, the data is saved into an HTML format and zipped so all the user needs to do is e-mail this to the tech support department.

I have honestly never heard of PSR before yesterday when Mark Burnett (@m8urnett) mentioned it on Twitter:

Creepy indeed, but I thought that if you could run it remotely, it would be a great tool for a penetration tester. Well, you can! Though running PSR as an attack tool isn’t a new idea. I did some searching and it is mentioned multiple times over the last several years in this manner. Pipefish even mentions using it with Metasploit back in this 2012 article (http://pipefish.me/tag/psr-exe/).

To use Steps Recorder normally, all you need to do is click the start button in Windows and type “psr” into the search box. Then click on “Steps Recorder”.

A small user interface opens up:

Just click “Start Record” to start. It then immediately begins grabbing screenshots. It displays a red globe around the pointer whenever a screenshot is taken. Then press “Stop Recording” when done. You will then be presented with a very impressive looking report of everything that you did. You then have the option of saving the report.

PSR can be run from the command prompt. Below is a listing of command switches from Microsoft :

Using PSR remotely with Metasploit

Using the command line options, PSR works very nicely with Metasploit in a penetration testing scenario. I will start with an active remote Meterpreter session between a test Windows 7 system and Kali Linux. There are many ways that you could do this, but I simply made a short text file as seen below:

psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;

Start-Sleep -s 20;

psr.exe /stop;

The commands above start PSR, turns off that pesky Gui window that pops up when running and turns off the red pointer glow when recording pages. It then saves the file to the desktop.

The script waits 20 seconds and then stops recording.

I then encoded the command and ran it in a command shell:

After 20 seconds a new “cool.zip” file popped up on the Windows 7 desktop:

This file contained a complete step by step list of everything the user did during the 20 second window. At the top of the file are the screenshots:

And at the bottom was the step by step text log:

I actually like using PSR now better than Metasploit’s built in screenshot capability, especially with the blow by blow text log that is included. The script also worked well against Windows 10 with some minor tweaks.

Defending against this attack

Problem Steps Recorder can be disabled in group policy. Though I did not see anywhere on how to completely uninstall PSR.

The best defense is to block the remote connection from being created, so standard security practices apply. Keep your operating systems and AV up to date. Don’t open unsolicited, unexpected or questionable e-mail attachments. Avoid questionable links, be leery of shortened URLs and always surf safely.

With all the news of router exploits and compromised units being used by hacker groups for attacks, make sure you include installing router firmware updates as part of your scheduled maintenance routine. Just don’t trust the built in “Update” feature…

One top name router I was working with yesterday needed updating. I went into the router admin screen and dutifully checked the “Check for Update” button. Good news – the router checked the manufacturer’s site and was using the latest firmware!

But it wasn’t…

I knew the manufacturer had just released a new critical firmware update. Doing a manual check on the support site verified my suspicion – the currently installed version was several months and several revisions old! If I believed that the router was using the current one, it would have remained vulnerable!

Sometimes router updates are not set as the latest version on the manufacturer’s update server. Check your firewall/routers/ Wi-Fi devices manually and make sure they are using the latest and greatest firmware. Also, never leave default credentials set on these devices, especially internet facing ones – use long complex passwords.